578.4

Question 1

What is Human operated ransomware?

Answer 1

HOR is a class of ransomware attacks where the adversary penetrates the network and tailors operation to the victim.

Question 2

Threat Intelligence Platforms (TIPs)

Answer 2

MISP
Threat_Note
CRITs
ThreatConnect
ThreatQuotient
Anomali
EclecticIQ

Question 3

What does MISP stand for?

Answer 3

Malware Information Sharing Platform.

Has a focus on IOCs and automation. Supports multiple formats to support. Open source with optional fees for professional support.

MISP has a strong usage in Europe due to a number of CERT’s active involvement.

Question 4

Best practices of storing threat intel infos

Answer 4

• Make a common format
• Make the method scaleable
• Make the method secure
• Make the method shareable

Question 5

Logical fallacies (logische Irrtümer)

Answer 5

Logical fallacies are flaws in reason. They often appear in cyber threat intelligence assessments. There are two main types:

• Anecdotal Fallacy
• Appeal to Probability

They occur when arguments do not logcially make sense.

Question 6

Fallacies: Anecdotal Fallacy

Answer 6

Personal Experience is used over Compelling Evidence.

“I worked an incident like this before and it was China, so your analysis that it’s not must be wrong”.

Question 7

Fallacies: Appeal to Probability

Answer 7

Making a determination based on what’s most likely the case.

“Russia is hacking everything these days, so the intrusion is likely Russia based”.

Question 8

Common CTI informal fallacies

Answer 8

• Appeal to the stone
• Argument from Silence
• Argument from repetition

Others:

• Burden of Proof
• Middle Ground

Question 9

Fallacies: Appeal to the stone

Answer 9

Identifying a claim as absurd without any proof to dismiss it.

“That’s absurd to think that the US would compromise an allied government. Let’s move on.”

Question 10

Fallacies: Argument from Silence

Answer 10

Accpeting a conclusion due to lack of evidence against it.

“I have proof it wasn’t the UK and no proof it wasn’t Germany. So, I assess it was Germany.”

Question 11

Fallacies: Argument from Repetition

Answer 11

Arguing so much that eventually people accept the conclusion to end it.

“We’ve been here for five hours; fine, Iran did the attack.”

Question 12

Fallacies: Burden of Proof

Answer 12

Requiring someone to disprove someone else’s claim instead of requiring proof.

Question 13

Fallacies: Middle Ground

Answer 13

Making a compromise between two points an accepted truth.

Question 14

Bias - Cognitive Biases

Answer 14

Cognitive Biases (Voreingenommenheit) are constraints on how we as analysts think that influence incorrect decisions and assessments. They allow analysts to create their own version of reality where inaccurate judgments and illogical interpretations occur.

Question 15

Bias - Mirror Image

Answer 15

Common bias that forms when you analyze a situation, person or entity with your context, background, experiences, etc. instead of theirs.

Question 16

Bias - Anchoring / Focusing

Answer 16

Overvaluing one piece of information. Forces an analyst to be unable to seek new information or analyze competing information.

Question 17

Bias - Confirmation bias

Answer 17

Selectively supporting one hypothesis. Reject refuting evidence. Greater significance to supporting data, lesser significance to contradicting data.

Question 18

Bias - Congruence Bias

Answer 18

• Form of confirmation bias
• Maps to competing Hypotheses
• Failure to consider alternative hyptotheses
• Risk when hypothesis fits well

Question 19

Bias - Hindsight Bias

Answer 19

“I knew it all along”. Unlikely outcome seen as obvious. Results in vicitm blaming.

Question 20

Bias - Illusory Correlation

Answer 20

Observe correlation when none exits. Common when associating an unusual or extreme experience with all future experiences. Stereotypes are the most common type of illusory correlation.

Question 21

Seven steps of analysis of competing hypotheses

Answer 21

1. Hypothesis
2. Evidence
3. Diagnostics
4. Refinement
5. Prioritization
6. Sensitivity
7. Conclusion and Evaluation

Question 22

AoCH - 1: Enumerate Hyptotheses

Answer 22

• Account for all evidence
• Include others
• Do not consider feasibility
• Include unproven hypotheses
• Exclude disproven hypotheses

Question 23

AoCH - 2: Support the Hyptoheses

Answer 23

• Seek additional evidence
• Include as evidence: deductions / assumptions
• Discuss missing evidence

Question 24

AoCH - 3: Diagnostics

Answer 24

Comparison of hypotheses in a matrix of hyptheses and evidence. Analysis proceeds horizontally across the hypotheses, for each piece of evidence individually.

Question 25

AoCH - 4: Refine the Matrix

Answer 25

• Remove nondiagnostic evidence
• Add overlooked evidence now applicable
• Include formulation of new hypotheses
• Document evidence excluded

Question 26

AoCH - 5: Prioritize the Hypotheses

Answer 26

The Hypotheses in the matrix are evaluated vertically, considering each hypotheses for its relative likelihood based on the evidence presented.

Question 27

AoCH - 6: Determine Evidentiary Dependence

Answer 27

• How many pieces of evidence are critical?
• What is confidence in this evidence?
• Is evidence ephemeral (flüchtig)?

Question 28

AoCH - 7: Report Conclusions

Answer 28

Final report.

• Hypotheses considered
• Key evidence
• Proper estimative language

Question 29

Three different types of analysis

Answer 29

• Link analysis
• Data analysis
• Trend analysis

Question 30

Common link analysis tools

Answer 30

• Maltego
• IBM Analyst’s Notebook
• Palantir Gotham / Metropolis
• Centrifuge
• Gephi / Graphviz
• Neo4J
• Titan
• Linkurious
• Cambridge Intelligence

Question 31

Data analysis

Answer 31

Cleaning, transforming, and modeling of data. Insights revealed through new techniques, models, and correlations between datasets.

Question 32

Temporal Data Analysis

Answer 32

Analysis of data over time.Reveals patterns of activity that reoccur. Useful for trending adversarial activity.

Question 33

Trend analysis

Answer 33

Kill Chain or Diamond Model completion yields intelligence. As you detect and response to intrusions over time, you’ll begin to notice trends in intrusions.

Question 34

Style Guide

Answer 34

A Style Guide can contain anything that’s useful to you that’s going to be mid-to-long-term value to your team but, at a minium, it must include:

• tream structure
• accepted lexicon
• words, phrases, and actions to not do
• Sample structure analytical techniques
• Sample intelligence requirements with exmaple outputs
• Guidance to analysts on how to create clusters and finalize intelligence products
• Key processes to follow

Question 35

Names / Identifiers

Answer 35

Name your own campaigns. Borrow names where it makes sense. Using own names is good:
- Frees analysts from reliance on others. Clarifies when your evidence defines campaigns slightly differently.

Question 36

Rosetta Stone

Answer 36

Maps known attribution, campaign names, and malware used

Question 37

One-to-One Mapping

Answer 37

Clusters cannot have a one-to-one relationship. Clusters can have links to other clusters. Links can be one or more of the Diamond Model vertices.

Question 38

Confidently Correlating Clusters

Answer 38

Visual and Link Analysis quickly identify patterns to help identify campaigns.

Quick pattern matching will incorrectly correlate some intrusions, which may eventually be key.

To confidently correlate clusters, we can use ACH mixed with Kill Chain and Diamond, as well as the Rule of 2.

Question 39

When to use AoCH for intrusion-cluster correlation?

Answer 39

• Lack of evidence makes correlation ambiguous
• Intrusion maps to multiple similarly defined clusters
• Disagreement between analysts exists.

Question 40

How to use AoCH for intrusion-cluster correlation?

Answer 40

• Follow AoCH steps
• Classify evidence based on intrusion definition: Kill Chain or Diamond
• Confidence in assessment informed by support in each clustering of evidence.

Question 41

External Intrusion Reports

Answer 41

• Complement Knowledge Gaps
• Do not merge with your data

Using the vendor info or name as your campaign name forces you to lose control of the narrative.

Question 42

Diamond Model Meta-Features

Answer 42

Timestamp (start and end)
Phase
Result
Direction
Methodology
Resources

Each core feature and its meta-features should have a confidence value.

Question 43

Six distinct steps for creating an activity group

Answer 43

1. Analytical Problem
2. Feature Selection
3. Creation
4. Growth
5. Analysis
6. Redefintion

Question 44

Rule of 2

Answer 44

The Rule of 2 is simply looking for consistency in intrusions in some key way to create an activity group. If the victims are the same or similar, you might have also identified a specific campaign.

Question 45

Retire Clusters

Answer 45

• Campaign states: Active, Inactive, Dormant
• Keep all information pertaining to clusters indefinitely
• Future intrusions can illuminate past
• Future clusters may correlate to past clusters

Question 46

What does ACH stand for?

Answer 46

Analysis of Competing Hypotheses